diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index ef4c5a510..ad60e7cd1 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh @@ -1353,7 +1353,7 @@ start() { if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then echolog "Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then - echolog "使用nftables进行透明代理,一些不支持nftables的组件如smartdns分流等将不可用。" + echolog "使用nftables进行透明代理,一些不支持nftables的组件如chinadns-ng等可能不会正常工作。" nftflag=1 start_redir TCP start_redir UDP diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh index 7973a0ffe..e45ad20d1 100755 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh +++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh @@ -67,7 +67,7 @@ restart() { add() { local FLAG TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS REMOTE_FAKEDNS CHINADNS_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG NFTFLAG eval_set_val $@ - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG} + lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG:-0} } del() { diff --git a/luci-app-passwall/root/usr/share/passwall/helper_smartdns.sh b/luci-app-passwall/root/usr/share/passwall/helper_smartdns.sh index 7d6d4712c..36ad537ce 100755 --- a/luci-app-passwall/root/usr/share/passwall/helper_smartdns.sh +++ b/luci-app-passwall/root/usr/share/passwall/helper_smartdns.sh @@ -11,9 +11,9 @@ restart() { } add() { - local FLAG SMARTDNS_CONF LOCAL_GROUP REMOTE_GROUP REMOTE_FAKEDNS TUN_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG + local FLAG SMARTDNS_CONF LOCAL_GROUP REMOTE_GROUP REMOTE_FAKEDNS TUN_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG NFTFLAG eval_set_val $@ - lua $APP_PATH/helper_smartdns_add.lua -FLAG $FLAG -SMARTDNS_CONF $SMARTDNS_CONF -LOCAL_GROUP ${LOCAL_GROUP:-nil} -REMOTE_GROUP ${REMOTE_GROUP:-nil} -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -TUN_DNS $TUN_DNS -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} + lua $APP_PATH/helper_smartdns_add.lua -FLAG $FLAG -SMARTDNS_CONF $SMARTDNS_CONF -LOCAL_GROUP ${LOCAL_GROUP:-nil} -REMOTE_GROUP ${REMOTE_GROUP:-nil} -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -TUN_DNS $TUN_DNS -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG:-0} } del() { diff --git a/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua index 1226c40b6..96cbd6b0d 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua +++ b/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua @@ -12,6 +12,7 @@ local TCP_NODE = var["-TCP_NODE"] local PROXY_MODE = var["-PROXY_MODE"] local NO_PROXY_IPV6 = var["-NO_PROXY_IPV6"] local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"] +local NFTFLAG = var["-NFTFLAG"] local LOG_FILE = api.LOG_FILE local CACHE_PATH = api.CACHE_PATH local CACHE_FLAG = "dns_" .. FLAG @@ -172,6 +173,8 @@ if not REMOTE_GROUP or REMOTE_GROUP == "nil" then sys.call('sed -i "/passwall/d" /etc/smartdns/custom.conf >/dev/null 2>&1') end +local setflag= (NFTFLAG == "1") and "inet#fw4#" or "" + if not fs.access(CACHE_DNS_FILE) then sys.call(string.format('echo "server %s -group %s -exclude-default-group" >> %s', TUN_DNS, REMOTE_GROUP, CACHE_DNS_FILE)) --屏蔽列表 @@ -186,7 +189,7 @@ if not fs.access(CACHE_DNS_FILE) then local address = t.address if datatypes.hostname(address) then set_domain_group(address, LOCAL_GROUP) - set_domain_ipset(address, "#4:vpsiplist,#6:vpsiplist6") + set_domain_ipset(address, "#4:" .. setflag .. "vpsiplist,#6:" .. setflag .. "vpsiplist6") end end) log(string.format(" - 节点列表中的域名(vpsiplist)使用分组:%s", LOCAL_GROUP or "默认")) @@ -196,19 +199,19 @@ if not fs.access(CACHE_DNS_FILE) then if line ~= "" and not line:find("#") then add_excluded_domain(line) set_domain_group(line, LOCAL_GROUP) - set_domain_ipset(line, "#4:whitelist,#6:whitelist6") + set_domain_ipset(line, "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6") end end log(string.format(" - 域名白名单(whitelist)使用分组:%s", LOCAL_GROUP or "默认")) local fwd_group = LOCAL_GROUP - local ipset_flag = "#4:whitelist,#6:whitelist6" + local ipset_flag = "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6" local no_ipv6 if subscribe_proxy == "1" then fwd_group = REMOTE_GROUP - ipset_flag = "#4:blacklist,#6:blacklist6" + ipset_flag = "#4:" .. setflag .. "blacklist,#6:" .. setflag .. "blacklist6" if NO_PROXY_IPV6 == "1" then - ipset_flag = "#4:blacklist" + ipset_flag = "#4:" .. setflag .. "blacklist" no_ipv6 = true end if REMOTE_FAKEDNS == "1" then @@ -231,10 +234,10 @@ if not fs.access(CACHE_DNS_FILE) then for line in io.lines("/usr/share/passwall/rules/proxy_host") do if line ~= "" and not line:find("#") then add_excluded_domain(line) - local ipset_flag = "#4:blacklist,#6:blacklist6" + local ipset_flag = "#4:" .. setflag .. "blacklist,#6:" .. setflag .. "blacklist6" if NO_PROXY_IPV6 == "1" then set_domain_address(line, "#6") - ipset_flag = "#4:blacklist" + ipset_flag = "#4:" .. setflag .. "blacklist" end if REMOTE_FAKEDNS == "1" then ipset_flag = nil @@ -262,12 +265,12 @@ if not fs.access(CACHE_DNS_FILE) then if _node_id == "_direct" then fwd_group = LOCAL_GROUP - ipset_flag = "#4:whitelist,#6:whitelist6" + ipset_flag = "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6" else fwd_group = REMOTE_GROUP - ipset_flag = "#4:shuntlist,#6:shuntlist6" + ipset_flag = "#4:" .. setflag .. "shuntlist,#6:" .. setflag .. "shuntlist6" if NO_PROXY_IPV6 == "1" then - ipset_flag = "shuntlist" + ipset_flag = "#4:" .. setflag .. "shuntlist" no_ipv6 = true end if REMOTE_FAKEDNS == "1" then @@ -303,9 +306,9 @@ if not fs.access(CACHE_DNS_FILE) then local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"') for line in string.gmatch(gfwlist_str, "[^\r\n]+") do if line ~= "" then - local ipset_flag = "#4:gfwlist,#6:gfwlist6" + local ipset_flag = "#4:" .. setflag .. "gfwlist,#6:" .. setflag .. "gfwlist6" if NO_PROXY_IPV6 == "1" then - ipset_flag = "#4:gfwlist" + ipset_flag = "#4:" .. setflag .. "gfwlist" set_domain_address(line, "#6") end fwd_group = REMOTE_GROUP @@ -324,7 +327,7 @@ if not fs.access(CACHE_DNS_FILE) then for line in string.gmatch(chnlist_str, "[^\r\n]+") do if line ~= "" then set_domain_group(line, LOCAL_GROUP) - set_domain_ipset(line, "#4:chnroute,#6:chnroute6") + set_domain_ipset(line, "#4:" .. setflag .. "chnroute,#6:" .. setflag .. "chnroute6") end end end @@ -334,9 +337,9 @@ if not fs.access(CACHE_DNS_FILE) then local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"') for line in string.gmatch(chnlist_str, "[^\r\n]+") do if line ~= "" then - local ipset_flag = "#4:chnroute,#6:chnroute6" + local ipset_flag = "#4:" .. setflag .. "chnroute,#6:" .. setflag .. "chnroute6" if NO_PROXY_IPV6 == "1" then - ipset_flag = "#4:chnroute" + ipset_flag = "#4:" .. setflag .. "chnroute" set_domain_address(line, "#6") end set_domain_group(line, REMOTE_GROUP)